---
layout: api
page_title: /sys/quotas/rate-limit - HTTP API
description: The `/sys/quotas/rate-limit` endpoint is used to create, edit and delete rate limit quotas.
---

# `/sys/quotas/rate-limit`

@include 'alerts/restricted-root.mdx'

The `/sys/quotas/rate-limit` endpoint is used to create, edit and delete rate limit quotas.

## Create or update a rate limit quota

This endpoint is used to create a rate limit quota with an identifier, `name`.
A rate limit quota must include a `rate` value with an optional `path` that can
either be a namespace or mount, and can optionally include a path suffix following
the mount to restrict more specific API paths.

| Method | Path                           |
| :----- | :----------------------------- |
| `POST` | `/sys/quotas/rate-limit/:name` |

### Parameters

- `name` `(string: "")` - The name of the quota.
- `path` `(string: "")` - Path of the mount or namespace to apply the quota.
  A blank path configures a global rate limit quota. For example `namespace1/`
  adds a quota to a full namespace, `namespace1/auth/userpass` adds a quota to
  `userpass` in `namespace1`, and `namespace1/kv-v2/data/foo/bar` adds a quota to
  a specific secret on a K/V v2 mount in `namespace1`. A trailing glob (`*`) can also
  be added as part of the path after the mount to match paths that share the same prefix
  prior to the glob. `namespace1/kv-v2/data/foo/*` would match both
  `namespace1/kv-v2/data/foo/bar` and `namespace1/kv-v2/data/foo/baz`. Updating this field on
  an existing quota can have "moving" effects. For example, updating `namespace1` to
  `namespace1/auth/userpass` moves this quota from being a namespace quota to a
  namespace specific mount quota. Non-global quotas are not inherited by child
  namespaces. **Note, namespaces are supported in Enterprise only**.
- `rate` `(float: 0.0)` - The maximum number of requests in a given interval to
  be allowed by the quota rule. The `rate` must be positive.
- `interval` `(string: "")` - The duration to enforce rate limiting for (default `"1s"`).
- `block_interval` `(string: "")` - If set, when a client reaches a rate limit
  threshold, the client will be prohibited from any further requests until after
  the 'block_interval' has elapsed.
- `role` `(string: "")` - If set on a quota where `path` is set to an auth mount with a
  concept of roles (such as `/auth/approle/`), this will make the quota restrict login
  requests to that mount that are made with the specified role. The request will fail if
  the auth mount does not have a concept of roles, or `path` is not an auth mount.
- `inheritable` `(bool: false)` - If set to `true` on a quota where `path` is set to a namespace,
  the same quota will be cumulatively applied to all child namespace. The `inheritable`
  parameter cannot be set to `true` if the `path` does not specify a namespace. Only quotas
  associated with the root namespace quotas are inheritable by default.

### Sample payload

```json
{
  "path": "",
  "rate": 897.3,
  "interval": "2m",
  "block_interval": "5m"
}
```

### Sample request

```shell-session
$ curl \
    --request POST \
    --header "X-Vault-Token: ..." \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/quotas/rate-limit/global-rate-limiter
```

## Delete a rate limit quota

A rate limit quota can be deleted by `name`.

| Method   | Path                           |
| :------- | :----------------------------- |
| `DELETE` | `/sys/quotas/rate-limit/:name` |

### Sample request

```shell-session
$ curl \
    --request DELETE \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/quotas/rate-limit/global-rate-limiter
```

## Get a rate limit quota

A rate limit quota can be retrieved by `name`.

| Method | Path                           |
| :----- | :----------------------------- |
| `GET`  | `/sys/quotas/rate-limit/:name` |

### Sample request

```shell-session
$ curl \
    --request GET \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/quotas/rate-limit/global-rate-limiter
```

### Sample response

```json
{
  "request_id": "d0870811-455d-3dfd-459f-aee016e6fb68",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "block_interval": 300,
    "interval": 2,
    "name": "global-rate-limiter",
    "path": "",
    "rate": 897.3,
    "role": "",
    "type": "rate-limit"
  },
  "warnings": null
}
```

## List rate limit quotas

This endpoint returns a list of all the rate limit quotas.

| Method | Path                     |
| :----- | :----------------------- |
| `LIST` | `/sys/quotas/rate-limit` |

### Sample request

```shell-session
$ curl \
    --request LIST \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/quotas/rate-limit
```

### Sample response

```json
{
  "auth": null,
  "data": {
    "keys": ["global-rate-limiter", "kv-rate-limiter"]
  },
  "lease_duration": 0,
  "lease_id": "",
  "renewable": false,
  "request_id": "ab633ee1-a692-ba03-083b-f1bd91c51c28",
  "warnings": null,
  "wrap_info": null
}
```
